...
This compliant solution eliminates the possibility of undefined behavior resulting from a left shift operation on signed and unsigned integers. Smaller integer types are promoted according to the integer promotion rules \[[INT02-A|INT02-A. Understand integer conversion rules]\].
...
The result of {{E1 << E2}} is {{E1}} left-shifted {{E2}} bit positions; vacated bits are filled with zeros. According to C99, if {{E1}} has an unsigned type, the value of the result is {{E1 * 2^E2}}, reduced modulo one more than the maximum value representable in the result type. Although C99 specifies modulo behavior for unsigned integers, unsigned integer overflow frequently results in unexpected values and resultant security vulnerabilities (see \[[INT32-C|INT32-C. Ensure that integer operations do not result in an overflow]\]). Consequently, unsigned overflow is generally noncompliant and {{E1 * 2^E2}} must be representable in the result type. Modulo behavior is allowed only if the conditions in the exception section are met.
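The checks described above, as an added example that is not part of the original page: each helper refuses the shift when the count is negative or not smaller than the operand width, or when {{E1 * 2^E2}} would not be representable (so modulo wraparound is rejected rather than silently accepted). The function names are hypothetical, and the signed variant assumes {{int}} and {{unsigned int}} have the same width.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Number of value bits in unsigned int, derived from UINT_MAX so that
 * padding bits are not miscounted. */
unsigned int uint_width(void) {
    unsigned int width = 0;
    for (unsigned int v = UINT_MAX; v != 0; v >>= 1) {
        width++;
    }
    return width;
}

/* Unsigned left shift: succeeds only when e2 is smaller than the width of
 * the operand and e1 * 2^e2 is representable, i.e. no set bit would be
 * shifted out. Modulo wraparound is treated as an error, not a result. */
bool checked_shl_uint(unsigned int e1, unsigned int e2, unsigned int *result) {
    if (e2 >= uint_width()) {
        return false;          /* shift count too large: undefined behavior */
    }
    if (e1 > (UINT_MAX >> e2)) {
        return false;          /* e1 * 2^e2 does not fit in unsigned int */
    }
    *result = e1 << e2;
    return true;
}

/* Signed left shift: additionally rejects a negative operand and a negative
 * shift count; e1 * 2^e2 must fit in int, so e1 may not exceed INT_MAX >> e2.
 * Assumes int has the same width as unsigned int (true on common targets). */
bool checked_shl_int(int e1, int e2, int *result) {
    if (e1 < 0 || e2 < 0 || (unsigned int)e2 >= uint_width()) {
        return false;
    }
    if (e1 > (INT_MAX >> e2)) {
        return false;
    }
    *result = e1 << e2;
    return true;
}

int main(void) {
    unsigned int u = 0;
    int s = 0;
    printf("3u << 2: %s (%u)\n", checked_shl_uint(3u, 2u, &u) ? "ok" : "rejected", u);
    printf("UINT_MAX << 1: %s\n", checked_shl_uint(UINT_MAX, 1u, &u) ? "ok" : "rejected");
    printf("-1 << 1: %s\n", checked_shl_int(-1, 1, &s) ? "ok" : "rejected");
    printf("INT_MAX << 1: %s\n", checked_shl_int(INT_MAX, 1, &s) ? "ok" : "rejected");
    return 0;
}
```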
...
Making assumptions about whether a right shift is implemented as an arithmetic (signed) shift or a logical (unsigned) shift can also lead to vulnerabilities (see \[[INT13-A|INT13-A. Do not assume that a right shift operation is implemented as a logical or an arithmetic shift]\]).
...
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
INT36-C | 2 (medium) | 2 (probable) | 2 (medium) | P8 | L2 |
Related Vulnerabilities
Examples of vulnerabilities resulting from the violation of this rule can be found on the CERT website.
References
A test program for this rule is available.
...